Does the TOTP Algorithm rely on the client time always being synced correctly?

Updated: 2024-10-22 08:36:08

What happens if for some reason a cell phone's clock / calendar is off by a significant amount of time? Does the TOTP (Time-based OTP) algorithm generate an invalid token? Also, do time zones play a role in the token being correct, or do both the client and the server talk to a Network Time Protocol server to ensure that everything is synced up?

Best answer

Yes, if the clocks are out of sync then the TOTP will not validate. But unless you know that the client clock is wrong and the server clock correct, it is not semantically correct to say that the token is invalid.

No, time zones are not relevant provided that the systems are set up correctly - both devices should base the hash on a common datum. UTC or GMT is commonly used. It's possible to have your computer showing the right wall clock time but be configured in the wrong time zone. If this is the case, it won't be able to convert the time to the common timezone correctly.

Using NTP is one solution to keeping accurate time (and a cheap one if you have an internet connection) but there are other solutions.

How much clock jitter the authentication will support is dependent on the implemented algorithm.
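The behaviour described in the answer, as an added example that is not part of the original post: an RFC 6238 TOTP generator and a verifier that accepts codes within a configurable number of 30-second steps, run against three constructed client clocks. The `window` parameter, the scenario names and the sample times are assumptions made for illustration; the secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP = 30                          # seconds per time step (RFC 6238 default)
SECRET = b"12345678901234567890"   # constructed input: RFC 6238 Appendix B test secret

def totp(secret, unix_time, digits=6, step=STEP):
    """RFC 6238 TOTP with HMAC-SHA1 over the count of steps since the Unix epoch."""
    counter = int(unix_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, server_time, window=1, step=STEP):
    """Return the step offset at which the code matched, or None if outside the window."""
    for offset in sorted(range(-window, window + 1), key=abs):
        expected = totp(secret, server_time + offset * step, step=step)
        if hmac.compare_digest(expected, code):
            return offset
    return None

def epoch(wall_clock, utc_offset_hours):
    """Convert a naive wall-clock reading to Unix time using the configured zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return wall_clock.replace(tzinfo=tz).timestamp()

def scenarios():
    """Check constructed client clocks against a server clock taken as the reference."""
    server = epoch(datetime(2005, 3, 18, 1, 58, 20), 0)   # 1111111100 in Unix time
    clients = {
        # Correct local time and correct zone: same epoch value as the server.
        "in sync, zone UTC+8": epoch(datetime(2005, 3, 18, 9, 58, 20), 8),
        # Small drift that crosses into the next 30-second step.
        "15 s fast": server + 15,
        # Wall clock looks right locally, but the device believes it is in UTC.
        "right wall clock, zone set to UTC": epoch(datetime(2005, 3, 18, 9, 58, 20), 0),
    }
    return {name: verify(SECRET, totp(SECRET, t), server) for name, t in clients.items()}

if __name__ == "__main__":
    for name, offset in scenarios().items():
        print(name, "->", "rejected" if offset is None else f"accepted at step offset {offset}")
```

A wider `window` tolerates more drift but also lengthens the period during which an intercepted code stays usable, so the tolerance is a security setting as much as a usability one.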

Published: 2023-04-29 12:40:00